Posted on 19-Dec-2015
An overview of JML tools and applications
Lilian Burdy, Gemplus
Yoonsik Cheon, Gary Leavens, Iowa Univ.
David Cok, Kodak
Michael Ernst, MIT
Rustan Leino, Microsoft
Joe Kiniry, Erik Poll, Nijmegen Univ.
Erik Poll JML tools & applications 2
Overview
1. The JML language
2. Tools for JML
3. Applications
4. Conclusions
1. The JML language
Java Modeling Language
• Initiative of Gary Leavens [Iowa State Univ.]
• Behavioural Interface Specification Language for Java: annotations added to Java programs, expressing pre-, postconditions, invariants...
• Inspired by Eiffel (Design-by-Contract) & Larch
• Main design goal: easy to learn – simple extension of Java's syntax
JML example
private int balance;
final static int MAX_BALANCE;
/*@ invariant 0 <= balance && balance < MAX_BALANCE; @*/
JML example
/*@ requires amount >= 0;
  @ assignable balance;
  @ ensures balance == \old(balance) - amount;
  @ signals (PurseException) balance == \old(balance);
  @*/
public void debit(int amount) {....}
JML example
private byte[] pin;
private byte appletState;
/*@ invariant appletState == PERSONALIZED ==>
  @     pin != null && pin.length == 4 &&
  @     (\forall int i; 0 <= i && i < 4; 0 <= pin[i] && pin[i] <= 9);
  @*/
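The three fragments on the "JML example" slides, assembled into one class with an implementation that actually satisfies them (an added example, not code from the slides). Assumed, because the slides leave them open: the value of MAX_BALANCE, the PurseException class, the PERSONALIZED constant and the personalize() method.

```java
// Assumed exception type; the slides only name it in the signals clause.
class PurseException extends Exception {
    PurseException(String msg) { super(msg); }
}

public class Purse {
    public static final int MAX_BALANCE = 10000;   // assumed bound, blank on the slide
    public static final byte PERSONALIZED = 1;     // assumed applet life-cycle state

    private /*@ spec_public @*/ int balance;       // starts at 0, satisfies the invariant
    private /*@ spec_public @*/ byte[] pin;
    private /*@ spec_public @*/ byte appletState;  // starts at 0, so the PIN invariant is vacuous

    //@ public invariant 0 <= balance && balance < MAX_BALANCE;

    //@ public invariant appletState == PERSONALIZED ==>
    //@     (pin != null && pin.length == 4 &&
    //@      (\forall int i; 0 <= i && i < 4; 0 <= pin[i] && pin[i] <= 9));

    //@ requires amount >= 0;
    //@ assignable balance;
    //@ ensures balance == \old(balance) - amount;
    //@ signals (PurseException) balance == \old(balance);
    public void debit(int amount) throws PurseException {
        // Refusing the debit before touching balance is what makes the signals
        // clause true: on the exceptional path balance is unchanged, and on the
        // normal path amount <= balance keeps 0 <= balance.
        if (amount > balance) {
            throw new PurseException("insufficient balance");
        }
        balance -= amount;
    }

    //@ requires newPin != null && newPin.length == 4;
    //@ requires (\forall int i; 0 <= i && i < 4; 0 <= newPin[i] && newPin[i] <= 9);
    //@ assignable pin, appletState;
    //@ ensures appletState == PERSONALIZED;
    public void personalize(byte[] newPin) {
        // Copy rather than alias: a caller that kept newPin could otherwise write a
        // digit outside 0..9 later and silently break the invariant (the alias
        // control issue the conclusions mention).
        pin = new byte[4];
        System.arraycopy(newPin, 0, pin, 0, 4);
        appletState = PERSONALIZED;
    }
}
```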
2. Tools for JML
Tools for JML
• tools for reading & writing specs
• tools for generating specs
• tools for checking implementation against specs
Tools for reading & writing specs
• parsing & typechecking (as part of other tools)
• jmldoc: javadoc for JML
Tools for generating specs
• Invariant detection using Daikon [Michael Ernst, MIT]
Daikon observes execution of code to detect likely invariants
Tools for checking specs (I)
• Runtime assertion checker [Gary Leavens et al., Iowa State Univ.]
  tests if specs are violated at runtime
  – not so exciting for academia, but appealing to industry – well-specified code is easy to test!
• runtime checker handles \forall and \old
  – jmlunit: tool combining runtime checking with unit testing
Tools for checking specs (II)
• Extended static checker ESC/Java [Rustan Leino et al., ex-Compaq]
  automatic verification of simple properties
  – not sound, not complete, but finds lots of bugs quickly
  – e.g. can "prove" absence of NullPointer- and ArrayIndexOutOfBoundsExceptions
• Chase tool [Nestor Cataño, INRIA] remedies one important source of unsoundness
Tools for checking specs (III)
"Real" program verification
• JACK tool [Gemplus]
  automatic verification of JML-annotated code
  inspired by ESC/Java, integrated with Eclipse
• LOOP tool [Nijmegen]
  interactive verification of JML-annotated code
• Krakatoa tool [INRIA/Orsay] for interactive verification now also supports JML
Tools for checking specs
There is a range of tools offering different levels of assurance at different costs (i.e. time & effort):
– runtime assertion checking
– extended static checking using ESC/Java
– automatic verification using JACK
– interactive verification using LOOP, Krakatoa
3. Applications
JavaCard
• Subset of a superset of Java for programming smart cards
  – no floats, no threads, limited API, optional gc, ...
  + support for allocation in EEPROM or RAM
• Ideal target for formal methods
  – small programs, written in simple language, using small API, whose correctness is critical
  – highest levels of security evaluation standards require use of formal methods (Common Criteria)
Applications of JML to JavaCard as part of project
• Writing JML specs of JavaCard API [Cardis’00]
• Checking applets using ESC/Java [FME’02]– 1000’s of lines of code
• Verifying applets using LOOP [AMAST’02]– 100’s of lines of code
• Runtime checking part of smartcard OS [Cardis’02]
4. Conclusions
Assertion-based languages are a promising way to use formal methods in industry
• Familiar syntax and semantics
• No need for a formal model (the code is the formal model)
• Easy to introduce and use incrementally
NB: JML does not provide or impose any design methodology
What to specify?
• Detailed functional specs often too difficult
• Just establishing weak specs, e.g.
  requires ....
  ensures true;
  signals (NullPointerException) false;
  often suffices to expose most invariants
• Invariants make explicit many design decisions that are typically undocumented
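A weak spec of the kind the slide describes, on a PIN check, as an added example (not from the slides): nothing is promised about the result, only that neither exception can escape, and proving that is exactly what forces the otherwise undocumented "PIN exists once personalized" invariant into the open. The class, PERSONALIZED constant and checkPin() method are assumed.

```java
public class PinApplet {
    public static final byte PERSONALIZED = 1;       // assumed life-cycle state
    private /*@ spec_public @*/ byte[] pin;
    private /*@ spec_public @*/ byte appletState;

    // The design decision the weak spec below exposes: a PIN array is only
    // guaranteed to exist (and have 4 digits) once the applet is personalized.
    //@ public invariant appletState == PERSONALIZED ==> (pin != null && pin.length == 4);

    // Weak spec in the slide's style. Remove the first requires clause and an
    // extended static checker such as ESC/Java warns about a possible null
    // dereference of pin, since nothing then rules out appletState != PERSONALIZED.
    //@ requires appletState == PERSONALIZED;
    //@ requires candidate != null && candidate.length == 4;
    //@ ensures true;
    //@ signals (NullPointerException) false;
    //@ signals (ArrayIndexOutOfBoundsException) false;
    public /*@ pure @*/ boolean checkPin(byte[] candidate) {
        int diff = 0;
        //@ loop_invariant 0 <= i && i <= 4;
        for (int i = 0; i < 4; i++) {
            // Every digit is compared regardless of earlier mismatches, so the
            // loop count does not depend on where the candidate first differs.
            diff |= pin[i] ^ candidate[i];
        }
        return diff == 0;
    }
}
```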
Using JML for JavaCard applets
• For smartcard applets, verifying simple “safety” properties (eg. absence of certain exceptions) with JACK or ESC/Java has good return-on-investment
• Verification has found errors not found during testing
• Using JML tools to help manual code reviews when certifying code ?
JML
• Lots of ongoing work and open issues about JML, e.g.
  – tricky questions about semantics
  – concurrency?
  – alias control & ownership models?
• Agreeing on common syntax & semantics is hard work! (witnessed by upcoming patch of ESC/Java)
• Most tools just support subsets of JML
• JML as standard or as vehicle for research?
JML
• Having a common specification language supported by different tools is an important benefit
  – for individual tool builders, and
  – for users
• JML is an open collaborative effort, and we welcome cooperation with others
More info:
www.jmlspecs.org